2024-04-11 02:50:57 -04:00
|
|
|
const cookies = require('cookie');
|
|
|
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
|
const { logger } = require('~/config');
|
|
|
|
|
|
|
|
|
|
/**
|
2024-04-14 19:34:13 -04:00
|
|
|
* Middleware to validate image request.
|
|
|
|
|
* Must be set by `secureImageLinks` via custom config file.
|
2024-04-11 02:50:57 -04:00
|
|
|
*/
|
|
|
|
|
function validateImageRequest(req, res, next) {
|
2024-04-14 19:34:13 -04:00
|
|
|
if (!req.app.locals.secureImageLinks) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-11 02:50:57 -04:00
|
|
|
const refreshToken = req.headers.cookie ? cookies.parse(req.headers.cookie).refreshToken : null;
|
|
|
|
|
if (!refreshToken) {
|
|
|
|
|
logger.warn('[validateImageRequest] Refresh token not provided');
|
|
|
|
|
return res.status(401).send('Unauthorized');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let payload;
|
|
|
|
|
try {
|
|
|
|
|
payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET);
|
|
|
|
|
} catch (err) {
|
|
|
|
|
logger.warn('[validateImageRequest]', err);
|
|
|
|
|
return res.status(403).send('Access Denied');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const currentTimeInSeconds = Math.floor(Date.now() / 1000);
|
|
|
|
|
if (payload.exp < currentTimeInSeconds) {
|
|
|
|
|
logger.warn('[validateImageRequest] Refresh token expired');
|
|
|
|
|
return res.status(403).send('Access Denied');
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-17 09:51:03 -04:00
|
|
|
const fullPath = decodeURIComponent(req.originalUrl);
|
|
|
|
|
const pathPattern = new RegExp(`^/images/${payload.id}/[^/]+$`);
|
|
|
|
|
|
|
|
|
|
if (pathPattern.test(fullPath)) {
|
2024-04-11 02:50:57 -04:00
|
|
|
logger.debug('[validateImageRequest] Image request validated');
|
|
|
|
|
next();
|
|
|
|
|
} else {
|
2024-07-17 09:51:03 -04:00
|
|
|
logger.warn('[validateImageRequest] Invalid image path');
|
2024-04-11 02:50:57 -04:00
|
|
|
res.status(403).send('Access Denied');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module.exports = validateImageRequest;
|
